Bug #66469 PHP creates two session ids when using strict mode
Submitted: 2014-01-12 08:28 UTC Modified: 2014-01-22 05:00 UTC
From: oz at zend dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.5.8 OS: All
Private report: No CVE-ID: None

 [2014-01-12 08:28 UTC] oz at zend dot com
Description:
------------
When you enable the strict mode and then you execute session_start() without supplying a PHPSESSID (using php-cgi, cli, or ApacheBench for example), PHP creates two session ids and returns two Set-Cookie headers with both session ids.

I believe the second session id can be avoided since PHP knows it just created the session id for the first time.

Test script:
---------------
<?php
ini_set("session.use_strict_mode", "1");
ini_set("session.save_handler", "files");
session_start();
?>


Expected result:
----------------
"
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
"


Actual result:
--------------
"
Set-Cookie: PHPSESSID=k1hn6r22om8kiq60nq72hhsa52; path=/
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
"
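
A check for the behaviour reported above, as an added example (not part of the bug report or of php-src): it parses a raw response header block and lists every cookie that a single response sets more than once. The helper name `duplicate_cookies` is hypothetical; the two header blocks are abridged from the Expected and Actual results in this report.

```php
<?php
// Added example, not code from the report or from php-src.
// duplicate_cookies() is a hypothetical helper name.

// Return [ "name|path" => [values...] ] for every cookie that a single
// response sets more than once.
function duplicate_cookies(string $rawHeaders): array
{
    $seen = [];
    foreach (preg_split('/\r\n|\n|\r/', $rawHeaders) as $line) {
        // Header field names are case-insensitive.
        if (!preg_match('/^Set-Cookie:\s*(.*)$/i', trim($line), $m)) {
            continue;
        }
        $attrs = array_map('trim', explode(';', $m[1]));
        $pair  = array_shift($attrs);
        if (strpos($pair, '=') === false) {
            continue; // not a name=value cookie
        }
        list($name, $value) = explode('=', $pair, 2);
        $path = ''; // stays empty when the header carries no path attribute
        foreach ($attrs as $attr) {
            if (stripos($attr, 'path=') === 0) {
                $path = substr($attr, 5);
            }
        }
        $seen["$name|$path"][] = $value;
    }
    return array_filter($seen, function ($values) {
        return count($values) > 1;
    });
}

// Header blocks abridged from the Actual and Expected results of this report.
$actual = <<<'HDR'
Set-Cookie: PHPSESSID=k1hn6r22om8kiq60nq72hhsa52; path=/
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
HDR;
$expected = <<<'HDR'
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
HDR;

foreach (['actual' => $actual, 'expected' => $expected] as $label => $headers) {
    $dups = duplicate_cookies($headers);
    echo $label, ': ', $dups ? json_encode($dups) : 'no duplicate cookies', "\n";
}
```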


 [2014-01-17 03:37 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 [2014-01-17 03:37 UTC] yohgaki@php.net
Thank you, kaplan.
The commit is the fix. I don't know why the link shows the patch as applicable only to the 5.6 branch, though. (It's not in the 5.5 branch.)

Closing.
 [2014-01-17 03:40 UTC] yohgaki@php.net
BTW, the 5.6 part of the diff was committed last year, not this year.
 [2014-01-21 09:18 UTC] yohgaki@php.net
-Status: Closed +Status: Re-Opened
 [2014-01-21 09:18 UTC] yohgaki@php.net
Looks like I have to modify the code so that the session module calls

 php_session_reset_id(TSRMLS_C);

only once. Reopened.
 [2014-01-22 04:50 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-01-22 04:50 UTC] yohgaki@php.net
-Status: Re-Opened +Status: Closed
 [2014-01-22 04:51 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-01-22 05:00 UTC] yohgaki@php.net
Modified the code so that it replaces the old session cookie.
Users should not send the session cookie by themselves anyway.
Replacement is required, since the user may call session_regenerate_id().

Could you try it again?
 [2014-01-22 08:54 UTC] ab@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-01-22 10:26 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-01-22 18:04 UTC] ab@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-02-12 08:46 UTC] tyrael@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-02-12 08:46 UTC] tyrael@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-10-07 23:16 UTC] stas@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-10-07 23:27 UTC] stas@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 
Last updated: Thu Nov 21 13:01:29 2024 UTC